Meet the mother-load: C:\Program Files\Applications

All Windows 8 applications in the developer preview are installed under the clandestine C:\Program Files\Applications location. I will hazard a guess and say that once the Windows App Store goes online it will install all apps under that folder. Currently the folder is an invisible one and cannot be accessed from Windows Explorer user interface on a new Win8 developer preview install.

Here’s an example of some of the 29 apps Win8 apps installed on the Win8 developer preview:

And here’s the hidden folder backing it up:

Gaining Access to C:\Program Files\Applications

In essence you’ll need to navigate to that folder, hit “Security Tab” and set yourself up as the owner. Let me walk you through that process step-by-step.

2. Observe in shock and dismay the system dialogue saying you don’t own a folder on your own machine. Hit “Continue”.

3. After hitting “Continue”, you’ll be confronted by the following dialogue:

Do not hit “close”, instead click the “security tab” link.

4. In the following system dialogue click “advanced”.

5. Click the “change” link in the owner security field.

6. Add in your live ID or windows 8 user name to the “select user or group” system dialogue.

7. Click “OK”, Click “OK”, Click “Ok”.

8. Type in “C:\Program Files\Applications” in the Windows Explorer address bar and hit enter. You now have access to the Applications folder.

What type of apps ship with Windows 8?

Looking at this folder it’s fairly easy to determine what type of apps ship with Windows 8 developer preview.

What’s in C:\Program Files\Applications?

For HTML apps the folder contains all of their source code and it can modified.

For C# apps the folder contains the XAML source code and a compiled reverse-engineerable and modifiable version of the C# code.

For C++ directX apps the folder contains compiled binaries. Honestly, C++ isn’t my specialty so I’ll avoid discussing it at any great length.

Reverse Engineering HTML & Javscript & CSS Win8 apps

There’s a fundamental design flaw in the concept of HTML apps. HTML, Javascript and CSS are all interpreted languages, and not compiled languages. Meaning you have to ship the source code for your app instead of shipping compiled binaries. That puts the Intellectual Property of anyone choosing to write any HTML & JS & CSS only app for any platform under risk.

For example, here’s the HTML source code for the Tweet@rama Win8 app code:

And here’s the tweet@rama Javascript code that does the actual posting to Twitter:

Modifying HTML & Javscript & CSS Win8 apps

Part of the problem with interpreted languages is that they don’t compile until the very instance they are executed. Which allows evil-doers to edit the code prior to execution.

For example, here’s a print screen of the tweet@rama default app;

Let’s modify the HTML, Javascript and CSS for this application: (for the sake of brevity we’ll only walkthrough a simple HTML change)

By modifying the HTML & CSS & Javascript source code we can change the visual design to something a bit more visually pleasing:

Notice that we’ve changed both the design and behaviour of the app by modifying the source code. The new design has a different title, and the new behaviour is using the picture of the logged in user as the background. We have the power to completely change both the visual design and the executing source code of HTML & CSS & JS win8 apps.

New breed of viruses?

Any unauthorized malware that gains access to C:\Program Files\Applications could potentially modify source code to execute in malicious ways. Since this is the direction Win8 apps are taking writing this type of viruses is likely to become a growth industry.

For example we could look at the tweet@rama app once again. The most valuable asset that app has is our twitter oauth credentials. A virus would be able to modify the tweet@rama source code so once it executes it retrieves those credentials and sends those to a malicious remote endpoint. The following code interjected into the Javascript code of tweet@rama would do just that:

New breed of cracks?

Any unauthorized executable that gains access to C:\Program Files\Applications could potentially modify source code to workaround Windows Store app purchasing and licensing logic. The whole concept of Trials and feature purchases are based on Javascript, C# or C++ code invoking Windows 8 RuntimeTime APIs for the Windows Store. Any change to that code could potentially change the purchasing and licensing logic for that app.

Editing the XAML is fairly trivial since it’s stored as a plain text file:

Editing C# can be done using Reflector’s Reflxil MSIL Editor:

With some light modifications to the XAML and C# code we can change the display and behaviour of the app:

Reverse Engineering C++ Win8 apps

I’ll confess to not being a strong C++ developer (gasp!) so I’ll keep this brief by showing C++ apps are also susceptible to reverse engineering. It appears that Microsoft’s Store app is written in C++. The most important asset that app would have are the endpoints for the Microsoft store. Opening the C:\Windows\System32\WinStore\WinStoreUI.dll in notepad and searching for “https” addresses reveals the following URL: